Certain information used inside certain organizations is not suitable for distribution outside of those organizations. For example, records containing sensitive content such as personally identifiable information (PII) typically need redaction before publication. The PII can include, for example, persons' names, addresses, social security numbers, birth dates, or account numbers. It is often mandatory for organizations to remove or mask any such information to protect privacy. In the redaction, a conventional system can mask the PII using various search and replace techniques. For example, the system can identify PII using pattern matching. The conventional techniques sometimes under-mask, letting PII pass through unmasked, or over-mask, masking non-PII information, reducing usability of the data.